(RADIATOR) RadSec and IPv6?

Mike McCauley mikem at open.com.au
Fri Jul 7 18:59:11 CDT 2006

Hello Patrick,

Looks like you have sanitized the log file and config file (understandably), 
but it makes it hard for me to be sure what is going on. Perhaps you will 
send to me privately unsanitized (except for passwords) logs and config file 
for both the successful IPV4 and unsuccessful IPV6 cases.

You should note that if the IPV4 case works OK, then it is possible the 
certificate is for the IPV4 DNS host name, which may not work in the IPV6 
case (ie if the IPV4 and IPV6 DNS Host names are different then you will need 
either different certificates or use a subject alt name in the certificate.)


On Friday 07 July 2006 19:52, Patrick Renkens wrote:
> Hi all,
> We have succesfully set up RadSec over IPv4 with Radiator 3.15, see
> configuration details at the end of this mail.
> At this stage we use RadSec to transport accounting records in a save
> way. It runs smoothly.
> However we would like to setup RadSec over IPv6.
> When we use the correct IPv6 addresses with the 'Host' statement, we get
> errors like below.
> Is this a problem concerning the RadSec implementation of a certificate
> problem?
> Any other relevant information:
> - We use the same certificates for IPv4 and IPv6.
> - Both systems run Solaris 5.9 and Radiator 3.15.
> - DNS for IPv4 and IPv6 is correctly configured, including reverse.
> - There is no firewall problem, TCP port 2083 is open either way.
> DEBUG: Stream attempting tcp connection to ipv6:...:2083
> DEBUG: Stream connection in progress to ipv6:...:2083
> DEBUG: Stream connected to ipv6:...:2083
> DEBUG: StreamTLS sessionInit for ipv6:...
> DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> DEBUG: StreamTLS Client Started for ipv6:...:2083
> DEBUG: Verifying certificate with Subject '/C=NL/O=.../OU=.../CN=...'
> presented by peer ipv6:...
> ERR: Verification of certificate presented by ipv6:... failed
> DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> ERR: StreamTLS client error: -1, 1, 4401,  24610: 1 - error:14090086:SSL
> routines:SSL3_GET_
> SERVER_CERTIFICATE:certificate verify failed
> <AuthBy RADSEC>
>          Identifier              ACCOUNTING
>          Host                    ipv4 hostname and domain
>          Port                    2083
>          Protocol                tcp
>          Secret                  ...
>          UseTLS                  1
>          TLS_CAFile              %D/cert/ca.crt
>          TLS_CertificateFile     %D/cert/'host.domain'.crt
>          TLS_CertificateType     PEM
>          TLS_PrivateKeyFile      %D/cert/'host.domain'.key
>          IgnoreAuthentication
>          IgnoreAccountingResponse
> </AuthBy>
> BindAddress,ipv6:...
> <ServerRADSEC>
>          Port                    2083
>          Protocol                tcp
>          UseTLS
>          TLS_CAFile              %D/cert/ca.crt
>          TLS_CertificateFile     %D/cert/'host.domain'.crt
>          TLS_CertificateType     PEM
>          TLS_PrivateKeyFile      %D/cert/'host.domain'.key
>          TLS_RequireClientCert
>          TLS_SessionResumption   0
>          Secret                  ...
>          Identifier              RADSEC
> </ServerRADSEC>

Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list